diff --git a/2024/10xxx/CVE-2024-10646.json b/2024/10xxx/CVE-2024-10646.json index 6896a35cfec..4ee9eafb5d5 100644 --- a/2024/10xxx/CVE-2024-10646.json +++ b/2024/10xxx/CVE-2024-10646.json @@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-10646", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form's subject parameter in all versions up to, and including, 5.2.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "techjewel", + "product": { + "product_data": [ + { + "product_name": "Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "5.2.6" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/41c2ec31-360d-4145-b0b4-77d4d1d4b8a1?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/41c2ec31-360d-4145-b0b4-77d4d1d4b8a1?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/fluentform/tags/5.2.4", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/fluentform/tags/5.2.4" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset/3203147/fluentform/trunk/boot/globals.php", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset/3203147/fluentform/trunk/boot/globals.php" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Michael Mazzolini" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 7.2, + "baseSeverity": "HIGH" } ] } diff --git a/2024/10xxx/CVE-2024-10690.json b/2024/10xxx/CVE-2024-10690.json index 723cc42f037..13cbd78bbb7 100644 --- a/2024/10xxx/CVE-2024-10690.json +++ b/2024/10xxx/CVE-2024-10690.json @@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-10690", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Shortcodes for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.4 via the 'SHORTCODE_ELEMENTOR' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private and draft posts created with Elementor that they should not have access to." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-639 Authorization Bypass Through User-Controlled Key", + "cweId": "CWE-639" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "rstheme2017", + "product": { + "product_data": [ + { + "product_name": "Shortcodes for Elementor", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.0.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5debe121-6373-4b56-8441-f0d4a5920089?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5debe121-6373-4b56-8441-f0d4a5920089?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3207001%40shortcode-elementor&new=3207001%40shortcode-elementor&sfp_email=&sfph_mail=", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3207001%40shortcode-elementor&new=3207001%40shortcode-elementor&sfp_email=&sfph_mail=" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Francesco Carlucci" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "baseScore": 4.3, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11752.json b/2024/11xxx/CVE-2024-11752.json index b636dcf44c9..1dd307563f1 100644 --- a/2024/11xxx/CVE-2024-11752.json +++ b/2024/11xxx/CVE-2024-11752.json @@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11752", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Eveeno plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eveeno' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "babo2015", + "product": { + "product_data": [ + { + "product_name": "Eveeno", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.7" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e254f0ba-9008-44e9-bf8f-31c9614d6f64?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e254f0ba-9008-44e9-bf8f-31c9614d6f64?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/eveeno/trunk/eveeno.php#L150", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/eveeno/trunk/eveeno.php#L150" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3202716%40eveeno&new=3202716%40eveeno&sfp_email=&sfph_mail=", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3202716%40eveeno&new=3202716%40eveeno&sfp_email=&sfph_mail=" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "muhammad yudha" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/12xxx/CVE-2024-12422.json b/2024/12xxx/CVE-2024-12422.json index 7daf35a53c5..da32b3f9c8c 100644 --- a/2024/12xxx/CVE-2024-12422.json +++ b/2024/12xxx/CVE-2024-12422.json @@ -1,17 +1,95 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-12422", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Import Eventbrite Events plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "xylus", + "product": { + "product_data": [ + { + "product_name": "Import Eventbrite Events", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.7.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f799db97-ca61-439d-94ec-a44270d1cd07?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f799db97-ca61-439d-94ec-a44270d1cd07?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/import-eventbrite-events/tags/1.7.3/templates/admin/import-eventbrite-events-history.php#L16", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/import-eventbrite-events/tags/1.7.3/templates/admin/import-eventbrite-events-history.php#L16" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/import-eventbrite-events/tags/1.7.3/templates/admin/import-eventbrite-events-history.php#L17", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/import-eventbrite-events/tags/1.7.3/templates/admin/import-eventbrite-events-history.php#L17" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3207381%40import-eventbrite-events&new=3207381%40import-eventbrite-events&sfp_email=&sfph_mail=", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3207381%40import-eventbrite-events&new=3207381%40import-eventbrite-events&sfp_email=&sfph_mail=" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Dale Mavers" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/12xxx/CVE-2024-12459.json b/2024/12xxx/CVE-2024-12459.json index 8c47490db52..b275efc7cd0 100644 --- a/2024/12xxx/CVE-2024-12459.json +++ b/2024/12xxx/CVE-2024-12459.json @@ -1,17 +1,95 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-12459", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Ganohrs Toggle Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'toggle' shortcode in all versions up to, and including, 0.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "ganohr", + "product": { + "product_data": [ + { + "product_name": "Ganohrs Toggle Shortcode", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "0.2.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/efd49905-0f2c-44b7-85c6-c2b77440ac17?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/efd49905-0f2c-44b7-85c6-c2b77440ac17?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/ganohrs-toggle-shortcode/tags/0.2.4/ganohrs-toggle-shortcode.php#L350", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/ganohrs-toggle-shortcode/tags/0.2.4/ganohrs-toggle-shortcode.php#L350" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/ganohrs-toggle-shortcode/tags/0.2.4/ganohrs-toggle-shortcode.php#L98", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/ganohrs-toggle-shortcode/tags/0.2.4/ganohrs-toggle-shortcode.php#L98" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3207393%40ganohrs-toggle-shortcode&new=3207393%40ganohrs-toggle-shortcode&sfp_email=&sfph_mail=", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3207393%40ganohrs-toggle-shortcode&new=3207393%40ganohrs-toggle-shortcode&sfp_email=&sfph_mail=" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "muhammad yudha" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/12xxx/CVE-2024-12474.json b/2024/12xxx/CVE-2024-12474.json index f8c7e4c124e..b6a9187b00d 100644 --- a/2024/12xxx/CVE-2024-12474.json +++ b/2024/12xxx/CVE-2024-12474.json @@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-12474", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The GeoDataSource Country Region DropDown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gds-country-dropdown' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "geodatasource", + "product": { + "product_data": [ + { + "product_name": "GeoDataSource Country Region DropDown", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.0.1" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c974726e-9371-40e5-8664-c12c8c06e5b9?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c974726e-9371-40e5-8664-c12c8c06e5b9?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3207322%40geodatasource-country-region-dropdown&new=3207322%40geodatasource-country-region-dropdown&sfp_email=&sfph_mail=", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3207322%40geodatasource-country-region-dropdown&new=3207322%40geodatasource-country-region-dropdown&sfp_email=&sfph_mail=" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "zakaria" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/12xxx/CVE-2024-12501.json b/2024/12xxx/CVE-2024-12501.json index e054ed1e9cf..89c5a27cace 100644 --- a/2024/12xxx/CVE-2024-12501.json +++ b/2024/12xxx/CVE-2024-12501.json @@ -1,17 +1,95 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-12501", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Simple Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "kylephillips", + "product": { + "product_data": [ + { + "product_name": "Simple Locator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "2.0.3" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38cb5e43-56d0-40b6-936a-f10f15d2e72f?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38cb5e43-56d0-40b6-936a-f10f15d2e72f?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/simple-locator/tags/2.0.3/app/API/AllLocationsShortcode.php#L19", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/simple-locator/tags/2.0.3/app/API/AllLocationsShortcode.php#L19" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/simple-locator/tags/2.0.3/app/API/FormShortcode.php#L31", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/simple-locator/tags/2.0.3/app/API/FormShortcode.php#L31" + }, + { + "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3207747%40simple-locator&new=3207747%40simple-locator&sfp_email=&sfph_mail=", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3207747%40simple-locator&new=3207747%40simple-locator&sfp_email=&sfph_mail=" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "muhammad yudha" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] }